External Authentication Reference


Available ways of using external authentication depend on the operating system used on the server that is running ISL Conference Proxy. Please refer to the appropriate section below.


Important: Please replace 1.2.3.4 and 1.2.3.5 with the appropriate authenticator server address(es) for your situation.

Important: Please note that all external authentication strings must end with a semicolon.

Linux

Please choose the appropriate section based on the external authenticator you are using:

  • FreeRADIUS (requires FreeRADIUS):
    /usr/bin/perl;authenticator/FreeRADIUS.pl;HOST;1.2.3.4,1.2.3.5;SECRET;abc;
  • Radius (requires CPAN module RadiusPerl - use libauthen-radius-perl on Debian):
    /usr/bin/perl;authenticator/RadiusPerl.pl;HOST;1.2.3.4,1.2.3.5;SECRET;abc;
  • LDAP (requires CPAN modules perl-ldap and IO-Socket-SSL - use libnet-ldap-perl and libio-socket-ssl-perl on Debian):
    1. Direct bind approach (for Microsoft Active Directory) - replace MAPUSER to match your environment:
       /usr/bin/perl;authenticator/perl-ldap.pl;HOST;ldap://1.2.3.4,ldap://1.2.3.5;MAPUSER;@USERNAME@@example.com;
    2. Search approach (for Novell eDirectory and OpenLDAP) - replace SEARCHBASE and SEARCHFILTER to match your environment:
       /usr/bin/perl;authenticator/perl-ldap.pl;HOST;ldap://1.2.3.4,ldap://1.2.3.5;SEARCHBASE;ou=People,dc=Company;SEARCHFILTER;uid=@USERNAME@;


Note: If you use SSL, please replace ldap:// with ldaps://

Note: If you require a special username and password to connect (i.e. anonymous bind not allowed or it does not have enough privileges), then specify this username and password using BINDDN and BINDPASSWORD (please note that you need to properly escape certain special characters if you have them in the password, e.g. % to %25, ; to %3B etc.).

Note: If you wish to add a group membership check, you can do it like this:

(&(uid=@USERNAME@)(groupMembership=cn=somegroup,ou=Groups,dc=Company))

If you are using AD and wish to use subgroups (e.g. you have a top group Top_ISL_Group and its members are groups like local1_ISL_Group, local2_ISL_Group etc., but you assign users to subgroups, not to the top group directly), then you would do it like this in order to instruct AD to walk the group chain:

(&(sAMAccountName=@USERNAME@)(memberOf:1.2.840.113556.1.4.1941:=cn=Top_ISL_Group,ou=Groups,dc=Company))

Note: If you are using AD, please note that users on ISL Conference Proxy are case-sensitive while your AD most likely is not. This means that if you log in as e.g. User1, user1 or USeR1, three users will be created on ISL Conference Proxy even though they all match the same user in AD. To avoid this and always create a single user with exactly the casing stored in your AD, use the REMAP parameter (important: the string between the two @ signs must be lowercased!), e.g. REMAP;\\default\@samaccountname@;


Windows

You can use either perl or .NET for external authentication.

Important: If using perl, the following examples assume that it is installed in c:\perl.

Please choose the appropriate section based on the external authenticator you are using:

  • Radius (requires CPAN module RadiusPerl):
    c:\perl\bin\perl.exe;authenticator\RadiusPerl.pl;HOST;1.2.3.4,1.2.3.5;SECRET;abc;
  • LDAP:
    1. Direct bind approach (for Microsoft Active Directory) - replace MAPUSER to match your environment:
       perl (requires CPAN modules perl-ldap and IO-Socket-SSL):
       c:\perl\bin\perl.exe;authenticator\perl-ldap.pl;HOST;ldap://1.2.3.4,ldap://1.2.3.5;MAPUSER;@USERNAME@@example.com;
       .NET (requires .NET Framework 2.0 or newer):
       authenticator\WinLdap.exe;HOST;1.2.3.4,1.2.3.5;MAPUSER;@USERNAME@@example.com;
    2. Search approach (for Novell eDirectory and OpenLDAP) - replace SEARCHBASE and SEARCHFILTER to match your environment:
       perl (requires CPAN modules perl-ldap and IO-Socket-SSL):
       c:\perl\bin\perl.exe;authenticator\perl-ldap.pl;HOST;ldap://1.2.3.4,ldap://1.2.3.5;SEARCHBASE;ou=People,dc=Company;SEARCHFILTER;uid=@USERNAME@;
       .NET (requires .NET Framework 2.0 or newer):
       authenticator\WinLdap.exe;HOST;1.2.3.4,1.2.3.5;SEARCHBASE;ou=People,dc=Company;SEARCHFILTER;uid=@USERNAME@;

Note: If you use SSL, please replace ldap:// with ldaps://

Note: If you require a special username and password to connect (i.e. anonymous bind not allowed or it does not have enough privileges), then specify this username and password using BINDDN and BINDPASSWORD (please note that you need to properly escape certain special characters if you have them in the password, e.g. % to %25, ; to %3B etc.).

Note: If you wish to add a group membership check, you can do it like this:

(&(uid=@USERNAME@)(groupMembership=cn=somegroup,ou=Groups,dc=Company))

If you are using AD and wish to use subgroups (e.g. you have a top group Top_ISL_Group and its members are groups like local1_ISL_Group, local2_ISL_Group etc., but you assign users to subgroups, not to the top group directly), then you would do it like this in order to instruct AD to walk the group chain:

(&(sAMAccountName=@USERNAME@)(memberOf:1.2.840.113556.1.4.1941:=cn=Top_ISL_Group,ou=Groups,dc=Company))

Note: If you are using AD, please note that users on ISL Conference Proxy are case-sensitive while your AD most likely is not. This means that if you log in as e.g. User1, user1 or USeR1, three users will be created on ISL Conference Proxy even though they all match the same user in AD. To avoid this and always create a single user with exactly the casing stored in your AD, use the REMAP parameter (important: the string between the two @ signs must be lowercased!), e.g. REMAP;\\default\@samaccountname@;

Having chosen the desired external authentication method, you should first test it from the command line - please check the samples below and modify accordingly.


Linux

In the ISL Conference Proxy's authenticator subdirectory, use the perl-ldap.pl like this (use ' for escaping):

perl perl-ldap.pl HOST ldap://1.2.3.4 SEARCHBASE 'ou=People,dc=Company,dc=local' SEARCHFILTER 'uid=@USERNAME@' USERNAME 'testuser' PASSWORD ***

With the appropriate username and password combination you will get the OK reply; otherwise you will get an error message informing you that the supplied credential is invalid.


Windows

In the ISL Conference Proxy's authenticator subdirectory, use the WinLdap.exe like this (please note that on Windows you need to use " for escaping instead of ' and if the username contains a space, put " around it):

WinLdap.exe HOST 1.2.3.4 SEARCHBASE "ou=People,dc=Company,dc=local" SEARCHFILTER "uid=@USERNAME@" USERNAME "testuser" PASSWORD ***

With the appropriate username and password combination you will get the OK reply; otherwise you will get an error message informing you that the supplied credential is invalid.

Now that you know that those settings work fine, please follow these steps to set the external authenticator in ISL Conference Proxy:

  1. Log in to your ISL Conference Proxy administration (http://localhost:7615/conf).
  2. Go to User management, click on the Domains tab.
  3. Select the desired domain that will use external authentication (e.g. ldapusers).
  4. Click on the Security tab.
  5. Uncheck the External authenticator option and paste the appropriate modified line from the top part of this topic (with ; as the delimiter - e.g. .NET LDAP direct bind approach example with modified HOST address(es) and MAPUSER).
  6. Click Save.

This concludes the external authentication configuration. Time to test it: go to http://localhost:7615/ and click Product Login in the top right corner. Use the appropriate domain prefix (in the example above it would be \\ldapusers\testuser), enter the LDAP username and password, and you should be able to log in.

Note: If you have a private cloud with a mix of platforms (Windows and Linux servers), or would simply like to create a combined external authentication string that covers both platforms, use the following syntax:

{platform=windows} c:\perl\bin\perl.exe;...;

{platform=linux} /usr/bin/perl;...;
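To make the string format concrete, here is an added example (not ISL's own code) that builds an authenticator string with the %-escaping the BINDDN/BINDPASSWORD note requires, adds the {platform=...} prefix described above, and parses a string back, flagging a missing trailing ; or a value that contained an unescaped ;. The parameter keys are the ones named on this page; the function names are this example's own.

```python
"""Build, parse and sanity-check ISL Conference Proxy external authenticator
strings. Added example, not ISL's own code: the field layout, ';' delimiter,
mandatory trailing ';', {platform=...} prefix and the %25 / %3B escapes for
BINDPASSWORD follow the reference text; the function names are this example's."""
import re

# Parameter keys named in the reference; everything before the first key is
# the command (interpreter + script, or just WinLdap.exe for .NET on Windows).
KEYS = frozenset({"HOST", "SECRET", "MAPUSER", "SEARCHBASE", "SEARCHFILTER",
                  "BINDDN", "BINDPASSWORD", "REMAP", "USERNAME", "PASSWORD"})
_PLATFORM = re.compile(r"^\{platform=(\w+)\}\s*")

def escape_field(value):
    """Escape '%' first, then ';', so the value survives splitting on ';'."""
    return value.replace("%", "%25").replace(";", "%3B")

def unescape_field(value):
    """Reverse of escape_field: decode '%3B' before '%25', so a literal
    '%3B' in the original (escaped as '%253B') comes back intact."""
    return value.replace("%3B", ";").replace("%25", "%")

def build_auth_string(command, params, platform=None):
    """command: e.g. ['/usr/bin/perl', 'authenticator/perl-ldap.pl'];
    params: ordered (KEY, value) pairs. Only BINDPASSWORD gets escaped."""
    fields = list(command)
    for key, value in params:
        fields += [key, escape_field(value) if key == "BINDPASSWORD" else value]
    body = ";".join(fields) + ";"  # every authenticator string ends with ';'
    return f"{{platform={platform}}} {body}" if platform else body

def parse_auth_string(s):
    """Return (platform, command, params) or raise ValueError with the reason.
    A key left without a value means some value contained an unescaped ';'."""
    m = _PLATFORM.match(s)
    platform, body = (m.group(1), s[m.end():]) if m else (None, s)
    if not body.endswith(";"):
        raise ValueError("authenticator string must end with ';'")
    fields = body[:-1].split(";")
    first = next((i for i, f in enumerate(fields) if f in KEYS), len(fields))
    command, rest = fields[:first], fields[first:]
    if not command or len(rest) % 2:
        raise ValueError("unbalanced KEY;VALUE pairs: unescaped ';' in a value?")
    params = {}
    for key, value in zip(rest[0::2], rest[1::2]):
        if key not in KEYS:
            raise ValueError(f"unknown parameter {key!r}")
        params[key] = unescape_field(value) if key == "BINDPASSWORD" else value
    return platform, command, params
```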

You can check our one-time password example for a simple test illustrating external authentication.

You are also welcome to check our blog post for more information and an example.
